Chapter 5: CS-MARS Appliance Setup and Configuration

Cisco Press

1 2 3 4 Page 4
Page 4 of 4

The addition of vulnerability scanning enhances the already considerable capability of CS-MARS to tell the difference between a real attack sequence and a false-positive attack sequence.

NetFlow Configuration

Simply speaking, NetFlow is a core technology built into many Cisco routers that reports the number of flows on a per-port, per-IP address basis (source and destination). Cisco defines NetFlow as follows:

[NetFlow] efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing. Cisco invented NetFlow and is the leader in IP traffic flow technology.

Note - For an in-depth discussion of NetFlow, go to on the Cisco website.

Most security experts agree that NetFlow in a CS-MARS environment adds substantial value because its rate of false positives is very low and its capability to recognize previously unknown attacks is very high. Chapter 4 discusses NetFlow and how it is used in conjunction with CS-MARS.

Enabling NetFlow on a CS-MARS appliance is a straightforward task.

Step 1 First you must navigate to the Admin > System Setup > Device Configuration and Discover Information > NetFlow Config Info panel.

Step 2 Enter the port that will listen for NetFlow data. The default is UDP 2055, but NetFlow is user configurable on routers, so you might want to verify with a network engineer which port is being used for NetFlow.

Step 3 The next option enables or disables NetFlow on the CS-MARS device. The collection and processing of NetFlow data is enabled by default. If your network is not NetFlow enabled, select No.

Step 4 The next selection provides you with an option to store NetFlow records. If you select Yes, this tells CS-MARS that you want to store every NetFlow record. This can potentially slow down your CS-MARS system because it has to write many more events than if you select No. If you select No, you are telling CS-MARS that you want to store only NetFlow traffic that represents an anomaly or is part of a session that triggered a Step 4 rule. Generally, unless dictated by industry or government regulations, you select No for this option. If you select Yes to store NetFlow data, your CS-MARS counts every flow as an event, thus impacting your CS-MARS appliance EPS rate.

Step 5 The last option is to define which networks you want to evaluate NetFlow data. Because flow anomalies can show up on any device that might inadvertently run malicious software or might be misconfigured, a best practice is to define all the networks over which CS-MARS will be reporting. If this table is left blank, CS-MARS will process flows for all subnets that it learns about.

Step 6 After all the data is entered, select Submit to enable NetFlow. This readies your CS-MARS device to listen for NetFlow data. At this point in the setup, you haven't yet configured any devices to send NetFlow, so this won't have an impact on your CS-MARS reporting until you configure your routers as described in Chapter 6.

Figure 5-12 shows the completed NetFlow configuration panel.

Step 7 Click Activate on the top-right side of the CS-MARS page.

Figure 5.12

Figure 5-12

CS-MARS NetFlow Configuration Panel

Dynamic Vulnerability Scanning Configuration

Vulnerability scanning is a feature that vastly increases the accuracy of CS-MARS threat reporting.

When vulnerability scanning is enabled on your CS-MARS device, CS-MARS will not conduct a vulnerability scan until a rule is triggered as a result of an event or session.

Configuring CS-MARS to conduct dynamic vulnerability scanning is a very simple process (see Figure 5-13):

Step 1 Browse to Admin > System Setup > CS-MARS Setup and click Networks for Dynamic Vulnerability Scanning (Optional).

Step 2 Select the radio button for the method you want to use to enter the network or IP range of the systems in which you want scanning to be enabled.

Step 3 Use the drop-down box to select the network of your choice, manually enter the network and mask, or manually enter a range of IP addresses.

Step 4 Click the Add button to add your selection to the pane. Click the Remove button if you want to remove your selection.

Step 5 Repeat steps 2 through 4 until you have entered all networks or IP ranges you want to have scanned.

Step 6 Click the Submit button to submit your changes.

Step 7 Click the Activate button at the top-right corner of the web page to activate your configuration. When a new popup widow appears indicating that activation is done, click the Close button to close the new window.

Note - Clicking the Info button on this page opens a new window with a brief explanation of vulnerability scanning on CS-MARS.

For a more detailed description of vulnerability scanning, see Chapter 4.

Figure 5.13

Figure 5-13

CS-MARS Dynamic Vulnerability Scanning Configuration GUI

Configuring CS-MARS System Maintenance

At this point in your configuration process, CS-MARS has been configured to be ready to collect syslog messages and events, accurately correlate data, and respond to threats. You still need to configure the network devices and applications, but that is covered in Chapter 6.

This section of this chapter doesn't require you to make any changes on the CS-MARS device; it's just informational. You will learn about the global system variables in CS-MARS. All parameters should be set to the default unless you need to archive or retrieve data.

To configure or view maintenance parameters for CS-MARS, you must navigate to the Admin > System Maintenance panel. From this panel, you have the option to configure the following:

  • License keys

  • Upgrades

  • Certificates

  • Runtime logging levels

  • Viewing of archived or current log files

  • Viewing of the audit trail

  • Retrieval of raw messages

  • Data archiving

License keys This panel is useful if you need to configure a license key on your CS-MARS device. You simply enter the key and click Submit. If you have to do a pnreset on your CS-MARS box, you will lose the license key. Before running pnreset, you should go to this panel and write down the key. Then when pnreset is completed, come back to this panel and enter the license key.

Upgrades This panel is used to upgrade the CS-MARS system software. You must first put the upgrade package on an FTP or HTTPS server. Then enter the server's IP address, username, password, path, package name of the CS-MARS upgrade file, and server type.

Certificates This panel is used to import Global Controller certificates and export Local Controller certificates for input to a Global Controller. See the MARS 4.1 Local Controller Users Guide for more information.

Runtime logging levels This panel is used to set the logging levels of your CS-MARS internal system logs. These levels should be set to the default unless requested by the Cisco TAC or Cisco engineering for troubleshooting purposes. Each entry that you see on this panel is a software process running in the CS-MARS operating system; the default logging level for all entries is set to trace.

Viewing of the appliance's log files Using this panel, you can view the logs of the CS-MARS system processes. These logs show processes and process threads starting and stopping. Under normal circumstances, these logs are used only by Cisco TAC and Cisco engineering teams.

Viewing of the audit trail This panel enables you to do a query to see what operations were performed by which users on a CS-MARS device. This log shows whether a new user is added or any device database information is changed. This audit log satisfies many requirements as defined by industry or federal regulations.

Retrieval of raw messages This panel can be used to selectively retrieve raw log data that CS-MARS has received from a device in its database or archived files. You specify a time range and the name of the device whose data you need to view. A text file of the resulting data is zipped, and you are offered an option to download it to your workstation for further analysis. This operation can be done from either your CS-MARS Local Controller database or a device that has been defined as an archive location. This feature also satisfies many requirements as defined by industry or federal regulations.

Data archiving This panel enables you to define an NFS server and a location on the server to archive CS-MARS data. You also have an option on this panel to define the length of time you would like to store the CS-MARS data on the archive server. One consideration that you need to carefully examine is planning the remote storage capacity and setting the number of days of data to store on the archive location. It might take some ongoing changes before you're satisfied with the balance between the length of time and the amount of data that you are storing on the archive server.

Configuring System Parameters

System parameters define the miscellaneous global variables such as polling intervals and authentication prompts. But this section highlights a new feature in system parameters, called distributed threat management.

These parameters can be configured or viewed in the Admin > System Parameter panel.

  • Windows event log pulling time interval

  • TACACS/AAA server prompts

  • Oracle event log pulling time interval

  • Distributed threat mitigation settings

  • Proxy settings

Windows event log pulling time interval This parameter defines how often CS-MARS will pull event logs from devices that are running the Windows operating system. These event logs can be valuable in discovering Microsoft Windows attacks such as brute-force password attacks. CS-MARS indicates this by correlating several Microsoft events that identify failed password attempts. CS-MARS generates incidents to reflect the source IP addresses that generate the failed login attempts and makes a recommendation to put an access list in a router to prevent those failed attempts from reaching their destination. Because the source is identified, threat responders can evaluate and take action on the system or systems that are sourcing the attack. The default polling interval is 300 seconds, or 5 minutes. If you want to lower this parameter, keep in mind that it's possible, depending on the number of hosts you have, that network traffic volume could drastically increase. Most customers find that the default is adequate.

A best practice when polling Microsoft servers and workstations for their security event logs is to take the log data from the domain controller(s) in the network. This drastically reduces the risk of saturating your network with event log data. To accomplish this, you must configure your servers and workstations to send their log data to their respective domain controllers.

TACACS/AAA server prompts When your network devices use a TACACS/AAA server for user management and access controls, often network administrators choose to modify the login prompts on the remote devices. If the login prompts are modified from the original device defaults, CS-MARS needs to know the new prompts. This setting allows CS-MARS to use the changed prompts to gain access to your network devices for required data and mitigation.

Oracle event log pulling time interval This setting behaves essentially the same as the one for Windows polling, except it is applied to Oracle database log pulling.

Distributed threat mitigation (DTM) settings DTM is a new feature in CS-MARS 4.1 that polls Cisco IPS appliances to find out what events are firing most frequently. When CS-MARS determines this information, it calculates the top signatures and pushes the signature-definition files to IOS routers that are capable of running fully functional IPS code.

Proxy settings This setting configures CS-MARS to communicate with devices through a proxy server. This would be needed, for example, if your organization uses a proxy server for Internet control and security, and you have DNS servers and an IDS device on your DMZ. CS-MARS would need to use the DNS server for DNS resolution and to communicate with the IDS device on the DMZ. Thus, CS-MARS needs proxy settings and an access account.


This chapter covered the basic functions of installing and configuring the CS-MARS appliance.

You learned that a critical first step is determining the placement of CS-MARS in your network. The basic premise is that, according to safe guidelines, CS-MARS should be placed in out-of-band networks when possible. If it's not possible to put CS-MARS out-of-band, you want to ensure that communications between CS-MARS and its management devices and reporting devices are encrypted to protect against network sniffing.

In addition to deployment considerations, this chapter described the steps necessary for the initial configuration and setup of high-level system parameters that enable CS-MARS as an STM system.

In Chapter 6, you will learn how to configure your network devices and hosts to communicate with your CS-MARS device. Enabling communications with these devices will make your CS-MARS device a fully functional threat-response system.

Copyright © 2007 Pearson Education. All rights reserved.

Learn more about this topic

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.

1 2 3 4 Page 4
Page 4 of 4
SD-WAN buyers guide: Key questions to ask vendors (and yourself)